authorCoprDistGit <infra@openeuler.org>2024-08-05 02:39:40 +0000
committerCoprDistGit <infra@openeuler.org>2024-08-05 02:39:40 +0000
commit2f2929cf687addbcb873408cdaf103ca292ec6bb (patch)
treeee361944e7f9419e9fddad69bc990f37899d1dc6
parenta1ae1c533e8037d89b73c984aa1b85b28b0a5560 (diff)
automatic import of haproxyopeneuler24.03_LTS
-rw-r--r--.gitignore1
-rw-r--r--RHEL-18169_h1-reject-special-char-URI-path-component.patch119
-rw-r--r--RHEL-18169_h2-pass-accept-invalid-http-request-request-parser.patch76
-rw-r--r--RHEL-18169_h2-reject-special-char-from-pseudo-path-header.patch71
-rw-r--r--RHEL-18169_http-add-new-function-http_path_has_forbidden_char.patch59
-rw-r--r--RHEL-18169_ist-add-new-function-ist_find_range.patch86
-rw-r--r--RHEL-18169_regtest-add-accept-invalid-http-request.patch46
-rw-r--r--RHEL-7736_http-reject-empty-content-length-header.patch275
-rw-r--r--halog.1108
-rw-r--r--haproxy.cfg90
-rw-r--r--haproxy.logrotate12
-rw-r--r--haproxy.service18
-rw-r--r--haproxy.spec729
-rw-r--r--haproxy.sysconfig4
-rw-r--r--haproxy.sysusers1
-rw-r--r--sources1
16 files changed, 1696 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index e69de29..eab06fc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/haproxy-2.4.22.tar.gz
diff --git a/RHEL-18169_h1-reject-special-char-URI-path-component.patch b/RHEL-18169_h1-reject-special-char-URI-path-component.patch
new file mode 100644
index 0000000..b3af9cd
--- /dev/null
+++ b/RHEL-18169_h1-reject-special-char-URI-path-component.patch
@@ -0,0 +1,119 @@
+From e5a741f94977840c58775b38f8ed830207f7e4d0 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Tue, 8 Aug 2023 16:17:22 +0200
+Subject: [PATCH] BUG/MINOR: h1: do not accept '#' as part of the URI component
+
+Seth Manesse and Paul Plasil reported that the "path" sample fetch
+function incorrectly accepts '#' as part of the path component. This
+can in some cases lead to misrouted requests for rules that would apply
+on the suffix:
+
+ use_backend static if { path_end .png .jpg .gif .css .js }
+
+Note that this behavior can be selectively configured using
+"normalize-uri fragment-encode" and "normalize-uri fragment-strip".
+
+The problem is that while the RFC says that this '#' must never be
+emitted, as often it doesn't suggest how servers should handle it. A
+diminishing number of servers still do accept it and trim it silently,
+while others are rejecting it, as indicated in the conversation below
+with other implementers:
+
+ https://lists.w3.org/Archives/Public/ietf-http-wg/2023JulSep/0070.html
+
+Looking at logs from publicly exposed servers, such requests appear at
+a rate of roughly 1 per million and only come from attacks or poorly
+written web crawlers incorrectly following links found on various pages.
+
+Thus it looks like the best solution to this problem is to simply reject
+such ambiguous requests by default, and include this in the list of
+controls that can be disabled using "option accept-invalid-http-request".
+
+We're already rejecting URIs containing any control char anyway, so we
+should also reject '#'.
+
+In the H1 parser for the H1_MSG_RQURI state, there is an accelerated
+parser for bytes 0x21..0x7e that has been tightened to 0x24..0x7e (it
+should not impact perf since 0x21..0x23 are not supposed to appear in
+a URI anyway). This way '#' falls through the fine-grained filter and
+we can add the special case for it also conditionned by a check on the
+proxy's option "accept-invalid-http-request", with no overhead for the
+vast majority of valid URIs. Here this information is available through
+h1m->err_pos that's set to -2 when the option is here (so we don't need
+to change the API to expose the proxy). Example with a trivial GET
+through netcat:
+
+ [08/Aug/2023:16:16:52.651] frontend layer1 (#2): invalid request
+ backend <NONE> (#-1), server <NONE> (#-1), event #0, src 127.0.0.1:50812
+ buffer starts at 0 (including 0 out), 16361 free,
+ len 23, wraps at 16336, error at position 7
+ H1 connection flags 0x00000000, H1 stream flags 0x00000810
+ H1 msg state MSG_RQURI(4), H1 msg flags 0x00001400
+ H1 chunk len 0 bytes, H1 body len 0 bytes :
+
+ 00000 GET /aa#bb HTTP/1.0\r\n
+ 00021 \r\n
+
+This should be progressively backported to all stable versions along with
+the following patch:
+
+ REGTESTS: http-rules: add accept-invalid-http-request for normalize-uri tests
+
+Similar fixes for h2 and h3 will come in followup patches.
+
+Thanks to Seth Manesse and Paul Plasil for reporting this problem with
+detailed explanations.
+
+(cherry picked from commit 2eab6d354322932cfec2ed54de261e4347eca9a6)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit 9bf75c8e22a8f2537f27c557854a8803087046d0)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit 9facd01c9ac85fe9bcb331594b80fa08e7406552)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit 832b672eee54866c7a42a1d46078cc9ae0d544d9)
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+---
+ src/h1.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/src/h1.c b/src/h1.c
+index eeda311b7..91d3dc47a 100644
+--- a/src/h1.c
++++ b/src/h1.c
+@@ -480,13 +480,13 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
+ case H1_MSG_RQURI:
+ http_msg_rquri:
+ #ifdef HA_UNALIGNED_LE
+- /* speedup: skip bytes not between 0x21 and 0x7e inclusive */
++ /* speedup: skip bytes not between 0x24 and 0x7e inclusive */
+ while (ptr <= end - sizeof(int)) {
+- int x = *(int *)ptr - 0x21212121;
++ int x = *(int *)ptr - 0x24242424;
+ if (x & 0x80808080)
+ break;
+
+- x -= 0x5e5e5e5e;
++ x -= 0x5b5b5b5b;
+ if (!(x & 0x80808080))
+ break;
+
+@@ -498,8 +498,15 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
+ goto http_msg_ood;
+ }
+ http_msg_rquri2:
+- if (likely((unsigned char)(*ptr - 33) <= 93)) /* 33 to 126 included */
++ if (likely((unsigned char)(*ptr - 33) <= 93)) { /* 33 to 126 included */
++ if (*ptr == '#') {
++ if (h1m->err_pos < -1) /* PR_O2_REQBUG_OK not set */
++ goto invalid_char;
++ if (h1m->err_pos == -1) /* PR_O2_REQBUG_OK set: just log */
++ h1m->err_pos = ptr - start + skip;
++ }
+ EAT_AND_JUMP_OR_RETURN(ptr, end, http_msg_rquri2, http_msg_ood, state, H1_MSG_RQURI);
++ }
+
+ if (likely(HTTP_IS_SPHT(*ptr))) {
+ sl.rq.u.len = ptr - sl.rq.u.ptr;
+--
+2.43.0
+
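Review bot: The commit message says h1m->err_pos is "set to -2 when the option is here", but the branch added under http_msg_rquri2 treats `err_pos < -1` as "PR_O2_REQBUG_OK not set" and rejects, so the description and the code comments disagree on the convention. The code comments look like the ones to trust, and a short comment above the '#' test would settle it, e.g. `/* err_pos: -2 = reject invalid chars, -1 = accept and record the first offending position */`. With "option accept-invalid-http-request" enabled the '#' is only recorded and the request proceeds, so suffix rules such as `path_end .png` remain open to misrouting unless one of the "normalize-uri fragment-strip" / "fragment-encode" rules named in the message is also configured. h1_headers_to_hdr_list starts and ends outside the hunks.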
diff --git a/RHEL-18169_h2-pass-accept-invalid-http-request-request-parser.patch b/RHEL-18169_h2-pass-accept-invalid-http-request-request-parser.patch
new file mode 100644
index 0000000..126e1f4
--- /dev/null
+++ b/RHEL-18169_h2-pass-accept-invalid-http-request-request-parser.patch
@@ -0,0 +1,76 @@
+From f86e994f5fb5851cd6e4f7f6b366e37765014b9f Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Tue, 8 Aug 2023 15:38:28 +0200
+Subject: [PATCH] MINOR: h2: pass accept-invalid-http-request down the request
+ parser
+
+We're adding a new argument "relaxed" to h2_make_htx_request() so that
+we can control its level of acceptance of certain invalid requests at
+the proxy level with "option accept-invalid-http-request". The goal
+will be to add deactivable checks that are still desirable to have by
+default. For now no test is subject to it.
+
+(cherry picked from commit d93a00861d714313faa0395ff9e2acb14b0a2fca)
+ [ad: backported for following fix : BUG/MINOR: h2: reject more chars
+ from the :path pseudo header]
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit b6be1a4f858eb6602490c192235114c1a163fef9)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit 26fa3a285df0748fc79e73e552161268b66fb527)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit 014945a1508f43e88ac4e89950fa9037e4fb0679)
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+---
+ include/haproxy/h2.h | 2 +-
+ src/h2.c | 6 +++++-
+ src/mux_h2.c | 3 ++-
+ 3 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/include/haproxy/h2.h b/include/haproxy/h2.h
+index 8d2aa9511..4f872b99d 100644
+--- a/include/haproxy/h2.h
++++ b/include/haproxy/h2.h
+@@ -207,7 +207,7 @@ extern struct h2_frame_definition h2_frame_definition[H2_FT_ENTRIES];
+ /* various protocol processing functions */
+
+ int h2_parse_cont_len_header(unsigned int *msgf, struct ist *value, unsigned long long *body_len);
+-int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *msgf, unsigned long long *body_len);
++int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *msgf, unsigned long long *body_len, int relaxed);
+ int h2_make_htx_response(struct http_hdr *list, struct htx *htx, unsigned int *msgf, unsigned long long *body_len, char *upgrade_protocol);
+ int h2_make_htx_trailers(struct http_hdr *list, struct htx *htx);
+
+diff --git a/src/h2.c b/src/h2.c
+index e1554642e..94c384111 100644
+--- a/src/h2.c
++++ b/src/h2.c
+@@ -399,8 +399,12 @@ static struct htx_sl *h2_prepare_htx_reqline(uint32_t fields, struct ist *phdr,
+ *
+ * The Cookie header will be reassembled at the end, and for this, the <list>
+ * will be used to create a linked list, so its contents may be destroyed.
++ *
++ * When <relaxed> is non-nul, some non-dangerous checks will be ignored. This
++ * is in order to satisfy "option accept-invalid-http-request" for
++ * interoperability purposes.
+ */
+-int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *msgf, unsigned long long *body_len)
++int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *msgf, unsigned long long *body_len, int relaxed)
+ {
+ struct ist phdr_val[H2_PHDR_NUM_ENTRIES];
+ uint32_t fields; /* bit mask of H2_PHDR_FND_* */
+diff --git a/src/mux_h2.c b/src/mux_h2.c
+index 0ab86534c..61fd1a4d2 100644
+--- a/src/mux_h2.c
++++ b/src/mux_h2.c
+@@ -4917,7 +4917,8 @@ static int h2c_decode_headers(struct h2c *h2c, struct buffer *rxbuf, uint32_t *f
+ if (h2c->flags & H2_CF_IS_BACK)
+ outlen = h2_make_htx_response(list, htx, &msgf, body_len, upgrade_protocol);
+ else
+- outlen = h2_make_htx_request(list, htx, &msgf, body_len);
++ outlen = h2_make_htx_request(list, htx, &msgf, body_len,
++ !!(((const struct session *)h2c->conn->owner)->fe->options2 & PR_O2_REQBUG_OK));
+
+ if (outlen < 0 || htx_free_space(htx) < global.tune.maxrewrite) {
+ /* too large headers? this is a stream error only */
+--
+2.43.0
+
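Review bot: The new argument in h2c_decode_headers is computed by casting `h2c->conn->owner` to `struct session *` with no comment on why that is valid. It sits in the else branch of the `H2_CF_IS_BACK` test, so presumably the owner is always the frontend session there, but that invariant is worth stating next to the cast, e.g. `/* frontend side: conn->owner is the session */`. The doc comment added to h2_make_htx_request says "non-nul" for an int flag and "some non-dangerous checks" without naming them; `non-zero` plus a list of the checks that <relaxed> disables would let a reader judge what the option re-admits. Both function bodies continue outside the hunks.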
diff --git a/RHEL-18169_h2-reject-special-char-from-pseudo-path-header.patch b/RHEL-18169_h2-reject-special-char-from-pseudo-path-header.patch
new file mode 100644
index 0000000..d5faba6
--- /dev/null
+++ b/RHEL-18169_h2-reject-special-char-from-pseudo-path-header.patch
@@ -0,0 +1,71 @@
+From af232e47e6264122bed3681210b054ff38ec8de8 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Tue, 8 Aug 2023 15:40:49 +0200
+Subject: [PATCH] BUG/MINOR: h2: reject more chars from the :path pseudo header
+
+This is the h2 version of this previous fix:
+
+ BUG/MINOR: h1: do not accept '#' as part of the URI component
+
+In addition to the current NUL/CR/LF, this will also reject all other
+control chars, the space and '#' from the :path pseudo-header, to avoid
+taking the '#' for a part of the path. It's still possible to fall back
+to the previous behavior using "option accept-invalid-http-request".
+
+This patch modifies the request parser to change the ":path" pseudo header
+validation function with a new one that rejects 0x00-0x1F (control chars),
+space and '#'. This way such chars will be dropped early in the chain, and
+the search for '#' doesn't incur a second pass over the header's value.
+
+This should be progressively backported to stable versions, along with the
+following commits it relies on:
+
+ REGTESTS: http-rules: add accept-invalid-http-request for normalize-uri tests
+ REORG: http: move has_forbidden_char() from h2.c to http.h
+ MINOR: ist: add new function ist_find_range() to find a character range
+ MINOR: http: add new function http_path_has_forbidden_char()
+ MINOR: h2: pass accept-invalid-http-request down the request parser
+
+(cherry picked from commit b3119d4fb4588087e2483a80b01d322683719e29)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit 462a8600ce9e478573a957e046b446a7dcffd286)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit 648e59e30723b8fd4e71aab02cb679f6ea7446e7)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit c8e07f2fd8b5462527f102f7145d6027c0d041da)
+[wt: minor ctx adjustments]
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+---
+ src/h2.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/src/h2.c b/src/h2.c
+index 94c384111..e190c52b5 100644
+--- a/src/h2.c
++++ b/src/h2.c
+@@ -440,11 +440,18 @@ int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *ms
+ }
+
+ /* RFC7540#10.3: intermediaries forwarding to HTTP/1 must take care of
+- * rejecting NUL, CR and LF characters.
++ * rejecting NUL, CR and LF characters. For :path we reject all CTL
++ * chars, spaces, and '#'.
+ */
+- ctl = ist_find_ctl(list[idx].v);
+- if (unlikely(ctl) && has_forbidden_char(list[idx].v, ctl))
+- goto fail;
++ if (phdr == H2_PHDR_IDX_PATH && !relaxed) {
++ ctl = ist_find_range(list[idx].v, 0, '#');
++ if (unlikely(ctl) && http_path_has_forbidden_char(list[idx].v, ctl))
++ goto fail;
++ } else {
++ ctl = ist_find_ctl(list[idx].v);
++ if (unlikely(ctl) && has_forbidden_char(list[idx].v, ctl))
++ goto fail;
++ }
+
+ if (phdr > 0 && phdr < H2_PHDR_NUM_ENTRIES) {
+ /* insert a pseudo header by its index (in phdr) and value (in value) */
+--
+2.43.0
+
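Review bot: When `relaxed` is set, :path takes the else branch and is checked only by `has_forbidden_char()`, which per the comment covers NUL, CR and LF, so the option re-admits not just '#' but also space and the remaining control characters in a value that may be forwarded to an HTTP/1 server. The updated comment does not say this; I would extend it to `For :path we reject all CTL chars, spaces, and '#' unless <relaxed> is set, in which case only NUL, CR and LF are rejected.` If only '#' is meant to be tolerated in relaxed mode, the stricter scan could stay unconditional and the `relaxed` test be applied to '#' alone, though that needs a change in the helper that is not part of this hunk. h2_make_htx_request starts and ends outside the hunk.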
diff --git a/RHEL-18169_http-add-new-function-http_path_has_forbidden_char.patch b/RHEL-18169_http-add-new-function-http_path_has_forbidden_char.patch
new file mode 100644
index 0000000..bb5837e
--- /dev/null
+++ b/RHEL-18169_http-add-new-function-http_path_has_forbidden_char.patch
@@ -0,0 +1,59 @@
+From 0f57ac20b046b70275192651d7b6c978032e6a36 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Tue, 8 Aug 2023 15:24:54 +0200
+Subject: [PATCH] MINOR: http: add new function http_path_has_forbidden_char()
+
+As its name implies, this function checks if a path component has any
+forbidden headers starting at the designated location. The goal is to
+seek from the result of a successful ist_find_range() for more precise
+chars. Here we're focusing on 0x00-0x1F, 0x20 and 0x23 to make sure
+we're not too strict at this point.
+
+(cherry picked from commit 30f58f4217d585efeac3d85cb1b695ba53b7760b)
+ [ad: backported for following fix : BUG/MINOR: h2: reject more chars
+ from the :path pseudo header]
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit b491940181a88bb6c69ab2afc24b93a50adfa67c)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit f7666e5e43ce63e804ebffdf224d92cfd3367282)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit c699bb17b7e334c9d56e829422e29e5a204615ec)
+[wt: adj minor ctx in http.h]
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+---
+ include/haproxy/http.h | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/include/haproxy/http.h b/include/haproxy/http.h
+index 8a86cb6e9..e8c5b850f 100644
+--- a/include/haproxy/http.h
++++ b/include/haproxy/http.h
+@@ -134,6 +134,25 @@ static inline enum http_etag_type http_get_etag_type(const struct ist etag)
+ return ETAG_INVALID;
+ }
+
++/* Looks into <ist> for forbidden characters for :path values (0x00..0x1F,
++ * 0x20, 0x23), starting at pointer <start> which must be within <ist>.
++ * Returns non-zero if such a character is found, 0 otherwise. When run on
++ * unlikely header match, it's recommended to first check for the presence
++ * of control chars using ist_find_ctl().
++ */
++static inline int http_path_has_forbidden_char(const struct ist ist, const char *start)
++{
++ do {
++ if ((uint8_t)*start <= 0x23) {
++ if ((uint8_t)*start < 0x20)
++ return 1;
++ if ((1U << ((uint8_t)*start & 0x1F)) & ((1<<3) | (1<<0)))
++ return 1;
++ }
++ start++;
++ } while (start < istend(ist));
++ return 0;
++}
+
+ #endif /* _HAPROXY_HTTP_H */
+
+--
+2.43.0
+
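Review bot: The doc comment recommends pre-filtering with `ist_find_ctl()`, but assuming that helper only looks for control characters, as its name suggests, it would not stop on 0x20 or 0x23, so a caller following the advice would never reach this function for a path whose only offending byte is a space or '#'. The commit message itself names `ist_find_range()` as the intended pre-filter, so I would reword the last sentence to `it's recommended to first locate a candidate using ist_find_range(ist, 0, '#').` The loop is a do/while that reads `*start` before comparing with `istend(ist)`, so "must be within <ist>" also implies <ist> is non-empty, which is worth saying explicitly. A one-line comment on the mask, `/* bit 0 = 0x20 (space), bit 3 = 0x23 ('#') */`, would make the second test readable.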
diff --git a/RHEL-18169_ist-add-new-function-ist_find_range.patch b/RHEL-18169_ist-add-new-function-ist_find_range.patch
new file mode 100644
index 0000000..5040292
--- /dev/null
+++ b/RHEL-18169_ist-add-new-function-ist_find_range.patch
@@ -0,0 +1,86 @@
+From edcff741698c9519dc44f3aa13de421baad7ff43 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Tue, 8 Aug 2023 15:23:19 +0200
+Subject: [PATCH] MINOR: ist: add new function ist_find_range() to find a
+ character range
+
+This looks up the character range <min>..<max> in the input string and
+returns a pointer to the first one found. It's essentially the equivalent
+of ist_find_ctl() in that it searches by 32 or 64 bits at once, but deals
+with a range.
+
+(cherry picked from commit 197668de975e495f0c0f0e4ff51b96203fa9842d)
+ [ad: backported for following fix : BUG/MINOR: h2: reject more chars
+ from the :path pseudo header]
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit 451ac6628acc4b9eed3260501a49c60d4e4d4e55)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit 3468f7f8e04c9c5ca5c985c7511e05e78fe1eded)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit b375df60341c7f7a4904c2d8041a09c66115c754)
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+---
+ include/import/ist.h | 47 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 47 insertions(+)
+
+diff --git a/include/import/ist.h b/include/import/ist.h
+index 539a27d26..31566b105 100644
+--- a/include/import/ist.h
++++ b/include/import/ist.h
+@@ -746,6 +746,53 @@ static inline const char *ist_find_ctl(const struct ist ist)
+ return NULL;
+ }
+
++/* Returns a pointer to the first character found <ist> that belongs to the
++ * range [min:max] inclusive, or NULL if none is present. The function is
++ * optimized for strings having no such chars by processing up to sizeof(long)
++ * bytes at once on architectures supporting efficient unaligned accesses.
++ * Despite this it is not very fast (~0.43 byte/cycle) and should mostly be
++ * used on low match probability when it can save a call to a much slower
++ * function. Will not work for characters 0x80 and above. It's optimized for
++ * min and max to be known at build time.
++ */
++static inline const char *ist_find_range(const struct ist ist, unsigned char min, unsigned char max)
++{
++ const union { unsigned long v; } __attribute__((packed)) *u;
++ const char *curr = (void *)ist.ptr - sizeof(long);
++ const char *last = curr + ist.len;
++ unsigned long l1, l2;
++
++ /* easier with an exclusive boundary */
++ max++;
++
++ do {
++ curr += sizeof(long);
++ if (curr > last)
++ break;
++ u = (void *)curr;
++ /* add 0x<min><min><min><min>..<min> then subtract
++ * 0x<max><max><max><max>..<max> to the value to generate a
++ * carry in the lower byte if the byte contains a lower value.
++ * If we generate a bit 7 that was not there, it means the byte
++ * was min..max.
++ */
++ l2 = u->v;
++ l1 = ~l2 & ((~0UL / 255) * 0x80); /* 0x808080...80 */
++ l2 += (~0UL / 255) * min; /* 0x<min><min>..<min> */
++ l2 -= (~0UL / 255) * max; /* 0x<max><max>..<max> */
++ } while ((l1 & l2) == 0);
++
++ last += sizeof(long);
++ if (__builtin_expect(curr < last, 0)) {
++ do {
++ if ((unsigned char)(*curr - min) < (unsigned char)(max - min))
++ return curr;
++ curr++;
++ } while (curr < last);
++ }
++ return NULL;
++}
++
+ /* looks for first occurrence of character <chr> in string <ist> and returns
+ * the tail of the string starting with this character, or (ist.end,0) if not
+ * found.
+--
+2.43.0
+
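Review bot: The word-at-a-time step computes `l2 + 0x<min>.. - 0x<max>..`, which as far as I can trace sets bit 7 for bytes below `max - min` rather than for bytes in [min:max], so the fast path matches the documented range only when min is 0. With min=0x10 and max=0x20, a word holding 0x18 among letters would leave `(l1 & l2) == 0` and be skipped without the byte-wise loop ever seeing it. The caller added in the h2 :path patch passes min 0, so that use is fine, but the header comment should state the restriction, e.g. `Only validated for min == 0; a non-zero min may miss matches in the fast path.`, or the helper should get a test with a non-zero min. `max++` on an `unsigned char` also wraps to 0 for max 0xFF, which the "Will not work for characters 0x80 and above" sentence covers only implicitly.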
diff --git a/RHEL-18169_regtest-add-accept-invalid-http-request.patch b/RHEL-18169_regtest-add-accept-invalid-http-request.patch
new file mode 100644
index 0000000..aae2a08
--- /dev/null
+++ b/RHEL-18169_regtest-add-accept-invalid-http-request.patch
@@ -0,0 +1,46 @@
+From c7492154ef07d6c08aa1eb52502697bbc3f42a69 Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Tue, 8 Aug 2023 19:52:45 +0200
+Subject: [PATCH] REGTESTS: http-rules: add accept-invalid-http-request for
+ normalize-uri tests
+
+We'll soon block the '#' by default so let's prepare the test to continue
+to work.
+
+(cherry picked from commit 069d0e221e58a46119d7c049bb07fa4bcb8d0075)
+ [ad: backported for following fix : BUG/MINOR: h2: reject more chars
+ from the :path pseudo header]
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit 1660481fab69856a39ac44cf88b76cdbcc0ea954)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit 90d0300cea6cda18a4e20369f4dc0b4c4783d6c9)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit 65849396fd6f192d9f14e81702c6c3851e580345)
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+---
+ reg-tests/http-rules/normalize_uri.vtc | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/reg-tests/http-rules/normalize_uri.vtc b/reg-tests/http-rules/normalize_uri.vtc
+index 6a1dc31dc..56acf2cef 100644
+--- a/reg-tests/http-rules/normalize_uri.vtc
++++ b/reg-tests/http-rules/normalize_uri.vtc
+@@ -127,6 +127,7 @@ haproxy h1 -conf {
+
+ frontend fe_fragment_strip
+ bind "fd@${fe_fragment_strip}"
++ option accept-invalid-http-request
+
+ http-request set-var(txn.before) url
+ http-request normalize-uri fragment-strip
+@@ -139,6 +140,7 @@ haproxy h1 -conf {
+
+ frontend fe_fragment_encode
+ bind "fd@${fe_fragment_encode}"
++ option accept-invalid-http-request
+
+ http-request set-var(txn.before) url
+ http-request normalize-uri fragment-encode
+--
+2.43.0
+
diff --git a/RHEL-7736_http-reject-empty-content-length-header.patch b/RHEL-7736_http-reject-empty-content-length-header.patch
new file mode 100644
index 0000000..e30c9f3
--- /dev/null
+++ b/RHEL-7736_http-reject-empty-content-length-header.patch
@@ -0,0 +1,275 @@
+From ba9afd2774c03e434165475b537d0462801f49bb Mon Sep 17 00:00:00 2001
+From: Willy Tarreau <w@1wt.eu>
+Date: Wed, 9 Aug 2023 08:32:48 +0200
+Subject: [PATCH] BUG/MAJOR: http: reject any empty content-length header value
+
+The content-length header parser has its dedicated function, in order
+to take extreme care about invalid, unparsable, or conflicting values.
+But there's a corner case in it, by which it stops comparing values
+when reaching the end of the header. This has for a side effect that
+an empty value or a value that ends with a comma does not deserve
+further analysis, and it acts as if the header was absent.
+
+While this is not necessarily a problem for the value ending with a
+comma as it will be cause a header folding and will disappear, it is a
+problem for the first isolated empty header because this one will not
+be recontructed when next ones are seen, and will be passed as-is to the
+backend server. A vulnerable HTTP/1 server hosted behind haproxy that
+would just use this first value as "0" and ignore the valid one would
+then not be protected by haproxy and could be attacked this way, taking
+the payload for an extra request.
+
+In field the risk depends on the server. Most commonly used servers
+already have safe content-length parsers, but users relying on haproxy
+to protect a known-vulnerable server might be at risk (and the risk of
+a bug even in a reputable server should never be dismissed).
+
+A configuration-based work-around consists in adding the following rule
+in the frontend, to explicitly reject requests featuring an empty
+content-length header that would have not be folded into an existing
+one:
+
+ http-request deny if { hdr_len(content-length) 0 }
+
+The real fix consists in adjusting the parser so that it always expects a
+value at the beginning of the header or after a comma. It will now reject
+requests and responses having empty values anywhere in the C-L header.
+
+This needs to be backported to all supported versions. Note that the
+modification was made to functions h1_parse_cont_len_header() and
+http_parse_cont_len_header(). Prior to 2.8 the latter was in
+h2_parse_cont_len_header(). One day the two should be refused but the
+former is also used by Lua.
+
+The HTTP messaging reg-tests were completed to test these cases.
+
+Thanks to Ben Kallus of Dartmouth College and Narf Industries for
+reporting this! (this is in GH #2237).
+
+(cherry picked from commit 6492f1f29d738457ea9f382aca54537f35f9d856)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit a32f99f6f991d123ea3e307bf8aa63220836d365)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit 65921ee12d88e9fb1fa9f6cd8198fd64b3a3f37f)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit d17c50010d591d1c070e1cb0567a06032d8869e9)
+[wt: applied to h2_parse_cont_len_header() in src/h2.c instead]
+Signed-off-by: Willy Tarreau <w@1wt.eu>
+---
+ reg-tests/http-messaging/h1_to_h1.vtc | 26 ++++++++++++
+ reg-tests/http-messaging/h2_to_h1.vtc | 60 +++++++++++++++++++++++++++
+ src/h1.c | 20 +++++++--
+ src/h2.c | 20 +++++++--
+ 4 files changed, 120 insertions(+), 6 deletions(-)
+
+diff --git a/reg-tests/http-messaging/h1_to_h1.vtc b/reg-tests/http-messaging/h1_to_h1.vtc
+index c7d00858e..603c03210 100644
+--- a/reg-tests/http-messaging/h1_to_h1.vtc
++++ b/reg-tests/http-messaging/h1_to_h1.vtc
+@@ -275,3 +275,29 @@ client c3h1 -connect ${h1_feh1_sock} {
+ # arrive here.
+ expect_close
+ } -run
++
++client c4h1 -connect ${h1_feh1_sock} {
++ # this request is invalid and advertises an invalid C-L ending with an
++ # empty value, which results in a stream error.
++ txreq \
++ -req "GET" \
++ -url "/test31.html" \
++ -hdr "content-length: 0," \
++ -hdr "connection: close"
++ rxresp
++ expect resp.status == 400
++ expect_close
++} -run
++
++client c5h1 -connect ${h1_feh1_sock} {
++ # this request is invalid and advertises an empty C-L, which results
++ # in a stream error.
++ txreq \
++ -req "GET" \
++ -url "/test41.html" \
++ -hdr "content-length:" \
++ -hdr "connection: close"
++ rxresp
++ expect resp.status == 400
++ expect_close
++} -run
+diff --git a/reg-tests/http-messaging/h2_to_h1.vtc b/reg-tests/http-messaging/h2_to_h1.vtc
+index 0d2b1e5f2..ec7a7c123 100644
+--- a/reg-tests/http-messaging/h2_to_h1.vtc
++++ b/reg-tests/http-messaging/h2_to_h1.vtc
+@@ -10,6 +10,8 @@ barrier b1 cond 2 -cyclic
+ barrier b2 cond 2 -cyclic
+ barrier b3 cond 2 -cyclic
+ barrier b4 cond 2 -cyclic
++barrier b5 cond 2 -cyclic
++barrier b6 cond 2 -cyclic
+
+ server s1 {
+ rxreq
+@@ -31,6 +33,12 @@ server s1 {
+
+ barrier b4 sync
+ # the next request is never received
++
++ barrier b5 sync
++ # the next request is never received
++
++ barrier b6 sync
++ # the next request is never received
+ } -repeat 2 -start
+
+ haproxy h1 -conf {
+@@ -121,6 +129,32 @@ client c1h2 -connect ${h1_feh2_sock} {
+ txdata -data "this is sent and ignored"
+ rxrst
+ } -run
++
++ # fifth request is invalid and advertises an invalid C-L ending with an
++ # empty value, which results in a stream error.
++ stream 9 {
++ barrier b5 sync
++ txreq \
++ -req "GET" \
++ -scheme "https" \
++ -url "/test5.html" \
++ -hdr "content-length" "0," \
++ -nostrend
++ rxrst
++ } -run
++
++ # sixth request is invalid and advertises an empty C-L, which results
++ # in a stream error.
++ stream 11 {
++ barrier b6 sync
++ txreq \
++ -req "GET" \
++ -scheme "https" \
++ -url "/test6.html" \
++ -hdr "content-length" "" \
++ -nostrend
++ rxrst
++ } -run
+ } -run
+
+ # HEAD requests : don't work well yet
+@@ -263,4 +297,30 @@ client c3h2 -connect ${h1_feh2_sock} {
+ txdata -data "this is sent and ignored"
+ rxrst
+ } -run
++
++ # fifth request is invalid and advertises invalid C-L ending with an
++ # empty value, which results in a stream error.
++ stream 9 {
++ barrier b5 sync
++ txreq \
++ -req "POST" \
++ -scheme "https" \
++ -url "/test25.html" \
++ -hdr "content-length" "0," \
++ -nostrend
++ rxrst
++ } -run
++
++ # sixth request is invalid and advertises an empty C-L, which results
++ # in a stream error.
++ stream 11 {
++ barrier b6 sync
++ txreq \
++ -req "POST" \
++ -scheme "https" \
++ -url "/test26.html" \
++ -hdr "content-length" "" \
++ -nostrend
++ rxrst
++ } -run
+ } -run
+diff --git a/src/h1.c b/src/h1.c
+index 73de48be0..eeda311b7 100644
+--- a/src/h1.c
++++ b/src/h1.c
+@@ -34,13 +34,20 @@ int h1_parse_cont_len_header(struct h1m *h1m, struct ist *value)
+ int not_first = !!(h1m->flags & H1_MF_CLEN);
+ struct ist word;
+
+- word.ptr = value->ptr - 1; // -1 for next loop's pre-increment
++ word.ptr = value->ptr;
+ e = value->ptr + value->len;
+
+- while (++word.ptr < e) {
++ while (1) {
++ if (word.ptr >= e) {
++ /* empty header or empty value */
++ goto fail;
++ }
++
+ /* skip leading delimiter and blanks */
+- if (unlikely(HTTP_IS_LWS(*word.ptr)))
++ if (unlikely(HTTP_IS_LWS(*word.ptr))) {
++ word.ptr++;
+ continue;
++ }
+
+ /* digits only now */
+ for (cl = 0, n = word.ptr; n < e; n++) {
+@@ -79,6 +86,13 @@ int h1_parse_cont_len_header(struct h1m *h1m, struct ist *value)
+ h1m->flags |= H1_MF_CLEN;
+ h1m->curr_len = h1m->body_len = cl;
+ *value = word;
++
++ /* Now either n==e and we're done, or n points to the comma,
++ * and we skip it and continue.
++ */
++ if (n++ == e)
++ break;
++
+ word.ptr = n;
+ }
+ /* here we've reached the end with a single value or a series of
+diff --git a/src/h2.c b/src/h2.c
+index dd1f7d9b6..e1554642e 100644
+--- a/src/h2.c
++++ b/src/h2.c
+@@ -80,13 +80,20 @@ int h2_parse_cont_len_header(unsigned int *msgf, struct ist *value, unsigned lon
+ int not_first = !!(*msgf & H2_MSGF_BODY_CL);
+ struct ist word;
+
+- word.ptr = value->ptr - 1; // -1 for next loop's pre-increment
++ word.ptr = value->ptr;
+ e = value->ptr + value->len;
+
+- while (++word.ptr < e) {
++ while (1) {
++ if (word.ptr >= e) {
++ /* empty header or empty value */
++ goto fail;
++ }
++
+ /* skip leading delimiter and blanks */
+- if (unlikely(HTTP_IS_LWS(*word.ptr)))
++ if (unlikely(HTTP_IS_LWS(*word.ptr))) {
++ word.ptr++;
+ continue;
++ }
+
+ /* digits only now */
+ for (cl = 0, n = word.ptr; n < e; n++) {
+@@ -125,6 +132,13 @@ int h2_parse_cont_len_header(unsigned int *msgf, struct ist *value, unsigned lon
+ *msgf |= H2_MSGF_BODY_CL;
+ *body_len = cl;
+ *value = word;
++
++ /* Now either n==e and we're done, or n points to the comma,
++ * and we skip it and continue.
++ */
++ if (n++ == e)
++ break;
++
+ word.ptr = n;
+ }
+ /* here we've reached the end with a single value or a series of
+--
+2.43.0
+
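Review bot: `if (n++ == e) break;` in h1_parse_cont_len_header hides the comma skip in a comparison side effect and also advances `n` to `e + 1` on the exit path, one element beyond the one-past-the-end position of the value; the same lines are added to h2_parse_cont_len_header. Writing it as `if (n == e) break;` followed by `word.ptr = n + 1;` expresses the same step without the post-increment, assuming `n` is not read after the loop, which the hunks do not show. The two parsers are now line-for-line identical in the changed region, so any later correction to the empty-value check has to be made in both places, as the message already hints. Both function bodies continue outside the hunks.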
diff --git a/halog.1 b/halog.1
new file mode 100644
index 0000000..39a9711
--- /dev/null
+++ b/halog.1
@@ -0,0 +1,108 @@
+.TH HALOG "1" "July 2013" "halog" "User Commands"
+.SH NAME
+halog \- HAProxy log statistics reporter
+.SH SYNOPSIS
+.B halog
+[\fI-h|--help\fR]
+.br
+.B halog
+[\fIoptions\fR] <LOGFILE
+.SH DESCRIPTION
+.B halog
+reads HAProxy log data from stdin and extracts and displays lines matching
+user-specified criteria.
+.SH OPTIONS
+.SS Input filters \fR(several filters may be combined)
+.TP
+\fB\-H\fR
+Only match lines containing HTTP logs (ignore TCP)
+.TP
+\fB\-E\fR
+Only match lines without any error (no 5xx status)
+.TP
+\fB\-e\fR
+Only match lines with errors (status 5xx or negative)
+.TP
+\fB\-rt\fR|\fB\-RT\fR <time>
+Only match response times larger|smaller than <time>
+.TP
+\fB\-Q\fR|\fB\-QS\fR
+Only match queued requests (any queue|server queue)
+.TP
+\fB\-tcn\fR|\fB\-TCN\fR <code>
+Only match requests with/without termination code <code>
+.TP
+\fB\-hs\fR|\fB\-HS\fR <[min][:][max]>
+Only match requests with HTTP status codes within/not within min..max. Any of
+them may be omitted. Exact code is checked for if no ':' is specified.
+.SS
+Modifiers
+.TP
+\fB\-v\fR
+Invert the input filtering condition
+.TP
+\fB\-q\fR
+Don't report errors/warnings
+.TP
+\fB\-m\fR <lines>
+Limit output to the first <lines> lines
+.SS
+Output filters \fR\- only one may be used at a time
+.TP
+\fB\-c\fR
+Only report the number of lines that would have been printed
+.TP
+\fB\-pct\fR
+Output connect and response times percentiles
+.TP
+\fB\-st\fR
+Output number of requests per HTTP status code
+.TP
+\fB\-cc\fR
+Output number of requests per cookie code (2 chars)
+.TP
+\fB\-tc\fR
+Output number of requests per termination code (2 chars)
+.TP
+\fB\-srv\fR
+Output statistics per server (time, requests, errors)
+.TP
+\fB\-u\fR*
+Output statistics per URL (time, requests, errors)
+.br
+Additional characters indicate the output sorting key:
+.RS
+.TP
+\fB\-u\fR
+URL
+.TP
+\fB\-uc\fR
+Request count
+.TP
+\fB\-ue\fR
+Error count
+.TP
+\fB\-ua\fR
+Average response time
+.TP
+\fB\-ut\fR
+Average total time
+.TP
+\fB\-uao\fR, \fB\-uto\fR
+Average times computed on valid ('OK') requests
+.TP
+\fB\-uba\fR
+Average bytes returned
+.TP
+\fB\-ubt\fR
+Total bytes returned
+.RE
+.SH "SEE ALSO"
+.BR haproxy (1)
+.SH AUTHOR
+.PP
+\fBhalog\fR was written by Willy Tarreau <w@1wt.eu> and is part of \fBhaproxy\fR(1).
+.PP
+This manual page was written by Apollon Oikonomopoulos <apoikos@gmail.com> for the Debian project (but may
+be used by others).
+
diff --git a/haproxy.cfg b/haproxy.cfg
new file mode 100644
index 0000000..91c125d
--- /dev/null
+++ b/haproxy.cfg
@@ -0,0 +1,90 @@
+#---------------------------------------------------------------------
+# Example configuration for a possible web application. See the
+# full configuration options online.
+#
+# https://www.haproxy.org/download/1.8/doc/configuration.txt
+#
+#---------------------------------------------------------------------
+
+#---------------------------------------------------------------------
+# Global settings
+#---------------------------------------------------------------------
+global
+ # to have these messages end up in /var/log/haproxy.log you will
+ # need to:
+ #
+ # 1) configure syslog to accept network log events. This is done
+ # by adding the '-r' option to the SYSLOGD_OPTIONS in
+ # /etc/sysconfig/syslog
+ #
+ # 2) configure local2 events to go to the /var/log/haproxy.log
+ # file. A line like the following can be added to
+ # /etc/sysconfig/syslog
+ #
+ # local2.* /var/log/haproxy.log
+ #
+ log 127.0.0.1 local2
+
+ chroot /var/lib/haproxy
+ pidfile /var/run/haproxy.pid
+ maxconn 4000
+ user haproxy
+ group haproxy
+ daemon
+
+ # turn on stats unix socket
+ stats socket /var/lib/haproxy/stats
+
+ # utilize system-wide crypto-policies
+ ssl-default-bind-ciphers PROFILE=SYSTEM
+ ssl-default-server-ciphers PROFILE=SYSTEM
+
+#---------------------------------------------------------------------
+# common defaults that all the 'listen' and 'backend' sections will
+# use if not designated in their block
+#---------------------------------------------------------------------
+defaults
+ mode http
+ log global
+ option httplog
+ option dontlognull
+ option http-server-close
+ option forwardfor except 127.0.0.0/8
+ option redispatch
+ retries 3
+ timeout http-request 10s
+ timeout queue 1m
+ timeout connect 10s
+ timeout client 1m
+ timeout server 1m
+ timeout http-keep-alive 10s
+ timeout check 10s
+ maxconn 3000
+
+#---------------------------------------------------------------------
+# main frontend which proxys to the backends
+#---------------------------------------------------------------------
+frontend main
+ bind *:5000
+ acl url_static path_beg -i /static /images /javascript /stylesheets
+ acl url_static path_end -i .jpg .gif .png .css .js
+
+ use_backend static if url_static
+ default_backend app
+
+#---------------------------------------------------------------------
+# static backend for serving up images, stylesheets and such
+#---------------------------------------------------------------------
+backend static
+ balance roundrobin
+ server static 127.0.0.1:4331 check
+
+#---------------------------------------------------------------------
+# round robin balancing between the various backends
+#---------------------------------------------------------------------
+backend app
+ balance roundrobin
+ server app1 127.0.0.1:5001 check
+ server app2 127.0.0.1:5002 check
+ server app3 127.0.0.1:5003 check
+ server app4 127.0.0.1:5004 check
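Review bot: The `stats socket /var/lib/haproxy/stats` line in the `global` section sets neither `mode` nor `level`, so the socket's file permissions follow the process umask and the allowed command set falls back to the built-in default. Stating both makes the exposure of the runtime API explicit, for example `stats socket /var/lib/haproxy/stats mode 600 level operator`, with the level chosen to match what local tooling actually needs. Separately, the header comment links to the 1.8 configuration manual although this commit packages 2.4.22; `https://www.haproxy.org/download/2.4/doc/configuration.txt` would match the shipped version.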
diff --git a/haproxy.logrotate b/haproxy.logrotate
new file mode 100644
index 0000000..96544e0
--- /dev/null
+++ b/haproxy.logrotate
@@ -0,0 +1,12 @@
+/var/log/haproxy.log {
+ daily
+ rotate 10
+ missingok
+ notifempty
+ compress
+ sharedscripts
+ postrotate
+ /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
+ /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
+ endscript
+}
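Review bot: The `postrotate` script signals whatever PID it reads from `/var/run/syslogd.pid` and `/var/run/rsyslogd.pid`, so a stale PID file would make root send SIGHUP to an unrelated process. On a host where the syslog daemon writes no PID file, the log is never reopened, and `2> /dev/null || true` hides that failure. Since haproxy.service in this commit already assumes systemd, addressing the daemon by unit name is more robust, e.g. `/usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true`. The unit name is an assumption to check against the syslog package this distribution ships.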
diff --git a/haproxy.service b/haproxy.service
new file mode 100644
index 0000000..a5524de
--- /dev/null
+++ b/haproxy.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=HAProxy Load Balancer
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+EnvironmentFile=-/etc/sysconfig/haproxy
+Environment="CONFIG=/etc/haproxy/haproxy.cfg" "PIDFILE=/run/haproxy.pid" "CFGDIR=/etc/haproxy/conf.d"
+ExecStartPre=/usr/sbin/haproxy -f $CONFIG -f $CFGDIR -c -q $OPTIONS
+ExecStart=/usr/sbin/haproxy -Ws -f $CONFIG -f $CFGDIR -p $PIDFILE $OPTIONS
+ExecReload=/usr/sbin/haproxy -f $CONFIG -f $CFGDIR -c -q $OPTIONS
+ExecReload=/bin/kill -USR2 $MAINPID
+KillMode=mixed
+SuccessExitStatus=143
+Type=notify
+
+[Install]
+WantedBy=multi-user.target
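Review bot: The `[Service]` section has no `User=` line and no sandboxing directives, so haproxy starts as root and is confined only by the `chroot` and `user`/`group` settings in haproxy.cfg plus whatever MAC policy the host applies. An administrator who replaces the packaged configuration loses that confinement without noticing. Consider adding `NoNewPrivileges=true`, `ProtectHome=true` and `ProtectSystem=full` after testing them against the shipped configuration. These can interfere with setups that run external checks or load files from home directories, so a comment saying they can be relaxed in a drop-in would help.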
diff --git a/haproxy.spec b/haproxy.spec
new file mode 100644
index 0000000..09500d2
--- /dev/null
+++ b/haproxy.spec
@@ -0,0 +1,729 @@
+%define haproxy_user haproxy
+%define haproxy_group %{haproxy_user}
+%define haproxy_homedir %{_localstatedir}/lib/haproxy
+%define haproxy_confdir %{_sysconfdir}/haproxy
+%define haproxy_datadir %{_datadir}/haproxy
+
+%global _hardened_build 1
+
+Name: haproxy
+Version: 2.4.22
+Release: 3%{?dist}
+Summary: HAProxy reverse proxy for high availability environments
+
+License: GPLv2+
+
+URL: http://www.haproxy.org/
+Source0: %{url}/download/2.4/src/haproxy-%{version}.tar.gz
+Source1: %{name}.service
+Source2: %{name}.cfg
+Source3: %{name}.logrotate
+Source4: %{name}.sysconfig
+Source5: %{name}.sysusers
+Source6: halog.1
+
+Patch0: RHEL-7736_http-reject-empty-content-length-header.patch
+Patch1: RHEL-18169_h1-reject-special-char-URI-path-component.patch
+Patch2: RHEL-18169_h2-pass-accept-invalid-http-request-request-parser.patch
+Patch3: RHEL-18169_h2-reject-special-char-from-pseudo-path-header.patch
+Patch4: RHEL-18169_http-add-new-function-http_path_has_forbidden_char.patch
+Patch5: RHEL-18169_ist-add-new-function-ist_find_range.patch
+Patch6: RHEL-18169_regtest-add-accept-invalid-http-request.patch
+
+BuildRequires: gcc
+BuildRequires: lua-devel
+BuildRequires: pcre2-devel
+BuildRequires: openssl-devel
+BuildRequires: systemd-devel
+BuildRequires: systemd
+BuildRequires: systemd-rpm-macros
+BuildRequires: make
+
+Requires(pre): shadow-utils
+%{?systemd_requires}
+
+%description
+HAProxy is a TCP/HTTP reverse proxy which is particularly suited for high
+availability environments. Indeed, it can:
+ - route HTTP requests depending on statically assigned cookies
+ - spread load among several servers while assuring server persistence
+ through the use of HTTP cookies
+ - switch to backup servers in the event a main one fails
+ - accept connections to special ports dedicated to service monitoring
+ - stop accepting connections without breaking existing ones
+ - add, modify, and delete HTTP headers in both directions
+ - block requests matching particular patterns
+ - report detailed status to authenticated users from a URI
+ intercepted from the application
+
+%prep
+%setup -q
+%patch -P0 -p1
+%patch -P1 -p1
+%patch -P2 -p1
+%patch -P3 -p1
+%patch -P4 -p1
+%patch -P5 -p1
+%patch -P6 -p1
+
+%build
+regparm_opts=
+%ifarch %ix86 x86_64
+regparm_opts="USE_REGPARM=1"
+%endif
+
+%{__make} %{?_smp_mflags} CPU="generic" TARGET="linux-glibc" USE_OPENSSL=1 USE_PCRE2=1 USE_SLZ=1 USE_LUA=1 USE_CRYPT_H=1 USE_SYSTEMD=1 USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_PROMEX=1 ${regparm_opts} ADDINC="%{build_cflags}" ADDLIB="%{build_ldflags}"
+
+%{__make} admin/halog/halog ADDINC="%{build_cflags}" ADDLIB="%{build_ldflags}"
+
+pushd admin/iprange
+%{__make} OPTIMIZE="%{build_cflags}" LDFLAGS="%{build_ldflags}"
+popd
+
+%install
+%{__make} install-bin DESTDIR=%{buildroot} PREFIX=%{_prefix} TARGET="linux2628"
+%{__make} install-man DESTDIR=%{buildroot} PREFIX=%{_prefix}
+
+%{__install} -p -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/%{name}.service
+%{__install} -p -D -m 0644 %{SOURCE2} %{buildroot}%{haproxy_confdir}/%{name}.cfg
+%{__install} -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
+%{__install} -p -D -m 0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/sysconfig/%{name}
+%{__install} -p -D -m 0644 %{SOURCE5} %{buildroot}%{_sysusersdir}/%{name}.conf
+%{__install} -p -D -m 0644 %{SOURCE6} %{buildroot}%{_mandir}/man1/halog.1
+%{__install} -d -m 0755 %{buildroot}%{haproxy_homedir}
+%{__install} -d -m 0755 %{buildroot}%{haproxy_datadir}
+%{__install} -d -m 0755 %{buildroot}%{haproxy_confdir}/conf.d
+%{__install} -d -m 0755 %{buildroot}%{_bindir}
+%{__install} -p -m 0755 ./admin/halog/halog %{buildroot}%{_bindir}/halog
+%{__install} -p -m 0755 ./admin/iprange/iprange %{buildroot}%{_bindir}/iprange
+%{__install} -p -m 0755 ./admin/iprange/ip6range %{buildroot}%{_bindir}/ip6range
+
+for httpfile in $(find ./examples/errorfiles/ -type f)
+do
+ %{__install} -p -m 0644 $httpfile %{buildroot}%{haproxy_datadir}
+done
+
+%{__rm} -rf ./examples/errorfiles/
+
+find ./examples/* -type f ! -name "*.cfg" -exec %{__rm} -f "{}" \;
+
+for textfile in $(find ./ -type f -name '*.txt')
+do
+ %{__mv} $textfile $textfile.old
+ iconv --from-code ISO8859-1 --to-code UTF-8 --output $textfile $textfile.old
+ %{__rm} -f $textfile.old
+done
+
+%pre
+%sysusers_create_compat %{SOURCE5}
+
+%post
+%systemd_post %{name}.service
+
+%preun
+%systemd_preun %{name}.service
+
+%postun
+%systemd_postun_with_restart %{name}.service
+
+%files
+%doc doc/* examples/*
+%doc CHANGELOG README ROADMAP VERSION
+%license LICENSE
+%dir %{haproxy_homedir}
+%dir %{haproxy_confdir}
+%dir %{haproxy_confdir}/conf.d
+%dir %{haproxy_datadir}
+%{haproxy_datadir}/*
+%config(noreplace) %{haproxy_confdir}/%{name}.cfg
+%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
+%config(noreplace) %{_sysconfdir}/sysconfig/%{name}
+%{_unitdir}/%{name}.service
+%{_sbindir}/%{name}
+%{_bindir}/halog
+%{_bindir}/iprange
+%{_bindir}/ip6range
+%{_mandir}/man1/*
+%{_sysusersdir}/%{name}.conf
+
+%changelog
+* Tue Jan 23 2024 Ryan O'Hara <rohara@redhat.com> - 2.4.22-3
+- Reject "#" as part of URI path component (CVE-2023-45539, RHEL-18169)
+
+* Wed Jan 17 2024 Ryan O'Hara <rohara@redhat.com> - 2.4.22-2
+- Reject any empty content-length header value (CVE-2023-40225, RHEL-7736)
+
+* Tue Jun 06 2023 Ryan O'Hara <rohara@redhat.com> - 2.4.22-1
+- Update to 2.4.22 (#2196530)
+
+* Tue May 02 2023 Ryan O'Hara <rohara@redhat.com> - 2.4.17-7
+- Fix uninitizalized resevered bytes (CVE-2023-0836, #2180861)
+
+* Mon Feb 27 2023 Ryan O'Hara <rohara@redhat.com> - 2.4.17-6
+- Reject empty http header field names (CVE-2023-25725, #2169510)
+
+* Mon Feb 27 2023 Ryan O'Hara <rohara@redhat.com> - 2.4.17-5
+- Refuse interim responses with end-stream flag set (CVE-2023-0056, #2161140)
+
+* Wed Nov 30 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.17-4
+- Use systemd-sysusers for user/group creation (#2095422)
+
+* Mon Jul 25 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.17-3
+- Fix changelog and rebuild
+
+* Wed Jun 08 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.17-2
+- Add configuration directory and update systemd unit file (#2093482)
+
+* Wed May 25 2022 Ryan O'Hara <rohara@redhat.com> - 2.4.17-1
+- Update to 2.4.17 #(2088532)
+- Fix unbound loop when Set-Cookie2 header is present (#2070448)
+
+* Wed Oct 13 2021 Ryan O'Hara <rohara@redhat.com> - 2.4.7-1
+- Update to 2.4.7 (#1966688)
+- Fix domain parts in :scheme and :path fields (CVE-2021-39240, #1998196)
+- Fix spaces in the :method field (CVE-2021-39241, #1998198)
+- Fix mismatch between :authority and Host fields (CVE-2021-39242, #1998200)
+- Fix request smuggling attack or response splitting (CVE-2021-40346, #2000621)
+
+* Tue Aug 17 2021 Ryan O'Hara <rohara@redhat.com> - 2.4.3-1
+- Update to 2.4.3 (#1966688)
+
+* Tue Aug 10 2021 Ryan O'Hara <rohara@redhat.com> - 2.4.2-8
+- Add gating tests (#1966688)
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.2-7
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Sat Aug 07 2021 Ryan O'Hara <rohara@redhat.com> - 2.4.2-6
+- Ignore badfuncs error in rpminspect (#1966688)
+
+* Wed Aug 04 2021 Lukas Javorsky <ljavorsk@redhat.com> - 2.4.2-5
+- Second rebuild against pcre2-10.37 (bug #1970765)
+
+* Tue Aug 03 2021 Ryan O'Hara <rohara@redhat.com> - 2.4.2-4
+- Apply patch to fix OpenSSL 3.0 build (#1984786)
+
+* Mon Aug 02 2021 Ryan O'Hara <rohara@redhat.com> - 2.4.2-3
+- Fix OpenSSL 3.0 build (#1984786)
+
+* Wed Jul 28 2021 Lukas Javorsky <ljavorsk@redhat.com> - 2.4.2-2
+- Rebuild against pcre2-10.37 (bug #1970765)
+
+* Mon Jul 12 2021 Ryan O'Hara <rohara@redhat.com> - 2.4.2-1
+- Update to 2.4.2 (#1966688)
+
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.0-3
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+ Related: rhbz#1971065
+
+* Thu Jun 03 2021 Ryan O'Hara <rohara@redhat.com> - 2.4.0-2
+- Fix hardened builds (#1966688)
+
+* Tue Jun 01 2021 Ryan O'Hara <rohara@redhat.com> - 2.4.0-1
+- Update to 2.4.0 (#1966688)
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.3.4-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Jan 14 2021 Ryan O'Hara <rohara@redhat.com> - 2.3.4-1
+- Update to 2.3.4 (#1914447)
+
+* Tue Dec 08 2020 Ryan O'Hara <rohara@redhat.com> - 2.3.2-1
+- Update to 2.3.2 (#1894994)
+
+* Thu Oct 01 2020 Ryan O'Hara <rohara@redhat.com> - 2.2.4-1
+- Update to 2.2.4 (#1883742)
+
+* Thu Sep 17 2020 Ryan O'Hara <rohara@redhat.com> - 2.2.3-2
+- Fix build for late loading of libgcc_s
+
+* Mon Sep 14 2020 Ryan O'Hara <rohara@redhat.com> - 2.2.3-1
+- Update to 2.2.3 (#1876932)
+
+* Fri Jul 31 2020 Ryan O'Hara <rohara@redhat.com> - 2.2.2-1
+- Update to 2.2.2 (#1862400)
+
+* Mon Jul 27 2020 Ryan O'Hara <rohara@redhat.com> - 2.2.1-1
+- Update to 2.2.1 (#1859846)
+
+* Wed Jul 15 2020 Ryan O'Hara <rohara@redhat.com> - 2.2.0-3
+- Update systemd service file
+
+* Fri Jul 10 2020 Tom Callaway <spot@fedoraproject.org> - 2.2.0-2
+- Fix build against lua 5.4
+
+* Thu Jul 09 2020 Ryan O'Hara <rohara@redhat.com> - 2.2.0-1
+- Update to 2.2.0 (#1854519)
+
+* Mon Jun 15 2020 Ryan O'Hara <rohara@redhat.com> - 2.1.7-1
+- Update to 2.1.7 (#1845001)
+
+* Mon Jun 08 2020 Ryan O'Hara <rohara@redhat.com> - 2.1.6-1
+- Update to 2.1.6 (#1845001)
+
+* Mon Jun 01 2020 Ryan O'Hara <rohara@redhat.com> - 2.1.5-1
+- Update to 2.1.5 (#1841837)
+
+* Thu Apr 02 2020 Ryan O'Hara <rohara@redhat.com> - 2.1.4-1
+- Update to 2.1.4 (CVE-2010-11100, #1820200)
+
+* Mon Mar 16 2020 Ryan O'Hara <rohara@redhat.com> - 2.1.3-2
+- Fix invalid element address calculation (#1801109)
+
+* Wed Feb 12 2020 Ryan O'Hara <rohara@redhat.com> - 2.1.3-1
+- Update to 2.1.3 (#1802233)
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jan 02 2020 Ryan O'Hara <rohara@redhat.com> - 2.1.2-1
+- Update to 2.1.2 (#1782472)
+
+* Mon Nov 25 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.10-1
+- Update to 2.0.10 (#1772961)
+
+* Wed Nov 06 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.8-1
+- Update to 2.0.8 (#1764483)
+
+* Mon Oct 21 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.7-2
+- Build with Prometheus exporter service (#1755839)
+
+* Mon Oct 21 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.7-1
+- Update to 2.0.7 (#1742544)
+
+* Fri Sep 13 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.6-1
+- Update to 2.0.6 (#1742544)
+
+* Mon Aug 19 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.5-1
+- Update to 2.0.5 (#1742544)
+
+* Tue Jul 30 2019 Ryan O'Hara <rohara@redhat.com> - 2.0.3-1
+- Update to 2.0.3 (#1690492)
+
+* Tue Jul 30 2019 Ryan O'Hara <rohara@redhat.com> - 1.8.20-3
+- Build with PCRE2 (#1669217)
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.20-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri May 17 2019 Ryan O'Hara <rohara@redhat.com> - 1.8.20-1
+- Update to 1.8.20
+
+* Wed Feb 13 2019 Ryan O'Hara <rohara@redhat.com> - 1.8.19-1
+- Update to 1.8.19
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.17-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Jan 24 2019 Petr Pisar <ppisar@redhat.com> - 1.8.17-3
+- Rebuild against patched libpcreposix library (bug #1667614)
+
+* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 1.8.17-2
+- Rebuilt for libcrypt.so.2 (#1666033)
+
+* Wed Jan 09 2019 Ryan O'Hara <rohara@redhat.com> - 1.8.17-1
+- Update to 1.8.17
+- Fix handling of priority flag in HEADERS frame in HTTP/2 decoder (CVE-2018-20615)
+
+* Sat Dec 22 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.16-1
+- Update to 1.8.16
+
+* Thu Dec 13 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.15-1
+- Update to 1.8.15
+- Fix denial of service attack via infinite recursion (CVE-2018-20103, #1658881)
+- Fix out-of-bound reads in dns_validate_dns_response (CVE-2018-20102, #1658882)
+
+* Sat Dec 01 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.14-2
+- Use of crpyt() is not thread safe (#1643941)
+
+* Thu Sep 20 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.14-1
+- Update to 1.8.14 (#1610066)
+
+* Mon Aug 20 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.13-1
+- Update to 1.8.13 (#1610066)
+
+* Thu Aug 16 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.12-4
+- Add BuildRequires gcc (#1604308)
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.12-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jul 10 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.12-2
+- Fix ownership of /var/lib/haproxy/ to avoid selinux DAC override errors (#1597076)
+
+* Thu Jun 28 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.12-1
+- Update to 1.8.12 (#1580036)
+
+* Wed Jun 27 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.11-1
+- Update to 1.8.11 (#1580036)
+
+* Mon Jun 25 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.10-1
+- Update to 1.8.10 (#1580036)
+
+* Mon May 21 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.9-1
+- Update to 1.8.9 (#1580036)
+
+* Thu May 10 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.8-2
+- Build with USE_GETADDRINFO option
+
+* Thu Apr 19 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.8-1
+- Update to 1.8.8 (#1560121)
+
+* Mon Apr 09 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.7-1
+- Update to 1.8.7 (#1560121)
+
+* Fri Apr 06 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.6-1
+- Update to 1.8.6 (#1560121)
+
+* Mon Mar 26 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.5-1
+- Update to 1.8.5 (#1560121)
+
+* Mon Feb 26 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.4-2
+- Define USE_SYSTEMD at build time (#1549027)
+
+* Mon Feb 26 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.4-1
+- Update to 1.8.4 (#1543668)
+
+* Thu Feb 08 2018 Florian Weimer <fweimer@redhat.com> - 1.8.3-5
+- Build halog and iprange with linker flags from redhat-rpm-config
+- Tell build to include <crypt.h>
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 1.8.3-3
+- Rebuilt for switch to libxcrypt
+
+* Fri Jan 05 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.3-2
+- Remove haproxy-systemd-wrapper
+
+* Fri Jan 05 2018 Ryan O'Hara <rohara@redhat.com> - 1.8.3-1
+- Update to 1.8.3 (#1528829)
+
+* Wed Dec 27 2017 Ryan O'Hara <rohara@redhat.com> - 1.8.2-1
+- Update to 1.8.2
+
+* Fri Dec 15 2017 Ryan O'Hara <rohara@redhat.com> - 1.8.1-1
+- Update to 1.8.1
+
+* Fri Dec 15 2017 Ryan O'Hara <rohara@redhat.com> - 1.8.0-1
+- Update to 1.8.0
+
+* Mon Sep 11 2017 Ryan O'Hara <rohara@redhat.com> - 1.7.9-1
+- Update to 1.7.9 (#1485084)
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Jul 10 2017 Ryan O'Hara <rohara@redhat.com> - 1.7.8-1
+- Update to 1.7.8 (#1436669)
+
+* Mon May 01 2017 Ryan O'Hara <rohara@redhat.com> - 1.7.3-2
+- Use KillMode=mixed in systemd service file (#1447085)
+
+* Sun Mar 26 2017 Ryan O'Hara <rohara@redhat.com> - 1.7.3-1
+- Update to 1.7.3 (#1413276)
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Jan 18 2017 Ryan O'Hara <rohara@redhat.com> - 1.7.2-1
+- Update to 1.7.2 (#1413276)
+
+* Thu Dec 29 2016 Ryan O'Hara <rohara@redhat.com> - 1.7.1-1
+- Update to 1.7.1
+
+* Mon Nov 28 2016 Ryan O'Hara <rohara@redhat.com> - 1.7.0-1
+- Update to 1.7.0
+
+* Mon Nov 21 2016 Ryan O'Hara <rohara@redhat.com> - 1.6.10-1
+- Update to 1.6.10 (#1397013)
+
+* Wed Aug 31 2016 Ryan O'Hara <rohara@redhat.com> - 1.6.9-1
+- Update to 1.6.9 (#1370709)
+
+* Thu Jul 14 2016 Ryan O'Hara <rohara@redhat.com> - 1.6.7-2
+- Fix main frontend in default config file (#1348674)
+
+* Thu Jul 14 2016 Ryan O'Hara <rohara@redhat.com> - 1.6.7-1
+- Update to 1.6.7 (#1356578)
+
+* Tue Jun 28 2016 Ryan O'Hara <rohara@redhat.com> - 1.6.6-2
+- Remove patch for CVE-2016-5360
+
+* Tue Jun 28 2016 Ryan O'Hara <rohara@redhat.com> - 1.6.6-1
+- Update to 1.6.6 (#1350426)
+
+* Wed Jun 15 2016 Ryan O'Hara <rohara@redhat.com> - 1.6.5-3
+- Fix reqdeny causing random crashes (CVE-2016-5360, #1346672)
+
+* Fri Jun 03 2016 Ryan O'Hara <rohara@redhat.com> - 1.6.5-2
+- Utilize system-wide crypto-policies (#1256253)
+
+* Mon May 23 2016 Ryan O'Hara <rohara@redhat.com> - 1.6.5-1
+- Update to 1.6.5 (#1317313)
+
+* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jan 20 2016 Ryan O'Hara <rohara@redhat.com> - 1.6.3-1
+- Update to 1.6.3 (#1276288)
+
+* Wed Nov 18 2015 Ryan O'Hara <rohara@redhat.com> - 1.6.2-3
+- Enable Lua support
+
+* Tue Nov 03 2015 Ryan O'Hara <rohara@redhat.com> - 1.6.2-2
+- Update to 1.6.2 (#1276288)
+
+* Fri Oct 30 2015 Ryan O'Hara <rohara@redhat.com> - 1.6.1-1
+- Update to 1.6.1 (#1276288)
+
+* Mon Jul 06 2015 Ryan O'Hara <rohara@redhat.com> - 1.5.14-1
+- Update to 1.5.14 (CVE-2015-3281, #1239181)
+
+* Fri Jun 26 2015 Ryan O'Hara <rohara@redhat.com> - 1.5.13-1
+- Update to 1.5.13 (#1236056)
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.12-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue May 05 2015 Ryan O'Hara <rohara@redhat.com> - 1.5.12-2
+- Remove unused patches
+
+* Tue May 05 2015 Ryan O'Hara <rohara@redhat.com> - 1.5.12-1
+- Update to 1.5.12 (#1217922)
+
+* Wed Mar 04 2015 Ryan O'Hara <rohara@redhat.com> - 1.5.11-4
+- Rework systemd service and sysconfig file
+
+* Wed Feb 11 2015 Ryan O'Hara <rohara@redhat.com> - 1.5.11-3
+- Add sysconfig file
+
+* Tue Feb 10 2015 Ryan O'Hara <rohara@redhat.com> - 1.5.11-2
+- Add tcp-ut bind option to set TCP_USER_TIMEOUT (#1190783)
+
+* Sun Feb 01 2015 Ryan O'Hara <rohara@redhat.com> - 1.5.11-1
+- Update to 1.5.11 (#1188029)
+
+* Mon Jan 05 2015 Ryan O'Hara <rohara@redhat.com> - 1.5.10-1
+- Update to 1.5.10
+
+* Mon Dec 01 2014 Ryan O'Hara <rohara@redhat.com> - 1.5.9-1
+- Update to 1.5.9
+
+* Sat Nov 01 2014 Ryan O'Hara <rohara@redhat.com> - 1.5.8-1
+- Update to 1.5.8
+
+* Thu Oct 30 2014 Ryan O'Hara <rohara@redhat.com> - 1.5.7-1
+- Update to 1.5.7
+
+* Mon Oct 20 2014 Ryan O'Hara <rohara@redhat.com> - 1.5.6-1
+- Update to 1.5.6
+
+* Wed Oct 08 2014 Ryan O'Hara <rohara@redhat.com> - 1.5.5-1
+- Update to 1.5.5
+
+* Tue Sep 02 2014 Ryan O'Hara <rohara@redhat.com> - 1.5.4-1
+- Update to 1.5.4
+
+* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Wed Aug 06 2014 Ryan O'Hara <rohara@redhat.com> - 1.5.3-2
+- Use haproxy-systemd-wrapper in service file (#1126955)
+
+* Fri Jul 25 2014 Ryan O'Hara <rohara@redhat.com> - 1.5.3-1
+- Update to 1.5.3
+
+* Tue Jul 15 2014 Ryan O'Hara <rohara@redhat.com> - 1.5.2-1
+- Update to 1.5.2
+
+* Tue Jun 24 2014 Ryan O'Hara <rohara@redhat.com> - 1.5.1-1
+- Update to 1.5.1
+
+* Thu Jun 19 2014 Ryan O'Hara <rohara@redhat.com> - 1.5.0-2
+- Build with zlib and openssl support
+
+* Thu Jun 19 2014 Ryan O'Hara <rohara@redhat.com> - 1.5.0-1
+- Update to 1.5.0
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.25-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu Mar 27 2014 Ryan O'Hara <rohara@redhat.com> - 1.4.25-1
+- Update to 1.4.25
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.24-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Mon Jun 17 2013 Ryan O'Hara <rohara@redhat.com> - 1.4.24-1
+- Update to 1.4.24 (CVE-2013-2174, #975160)
+
+* Tue Apr 30 2013 Ryan O'Hara <rohara@redhat.com> - 1.4.23-3
+- Build with PIE flags (#955182)
+
+* Mon Apr 22 2013 Ryan O'Hara <rohara@redhat.com> - 1.4.23-2
+- Build with PIE flags (#955182)
+
+* Tue Apr 02 2013 Ryan O'Hara <rohara@redhat.com> - 1.4.23-1
+- Update to 1.4.23 (CVE-2013-1912, #947697)
+- Drop supplementary groups after setuid/setgid (#894626)
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.22-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Fri Oct 12 2012 Robin Lee <cheeselee@fedoraproject.org> - 1.4.22-1
+- Update to 1.4.22 (CVE-2012-2942, #824544)
+- Use linux2628 build target
+- No separate x86_64 build target for halog
+- halog build honors rpmbuild optflags
+- Specfile cleanup
+
+* Mon Sep 17 2012 Václav Pavlín <vpavlin@redhat.com> - 1.4.20-3
+- Scriptlets replaced with new systemd macros (#850143)
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.20-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue Apr 03 2012 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.4.20-1
+- Update to 1.4.20
+
+* Sun Feb 19 2012 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.4.19-4
+- fix haproxy.services file
+
+* Sun Feb 19 2012 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.4.19-3
+- Update to use systemd fixing bug #770305
+
+* Fri Feb 10 2012 Petr Pisar <ppisar@redhat.com> - 1.4.19-2
+- Rebuild against PCRE 8.30
+
+* Sun Jan 29 2012 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.4.19-1
+- Update to 1.4.19
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.18-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Thu Sep 22 2011 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.4.18-1
+- Update to 1.4.18
+
+* Tue Apr 26 2011 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.4.15-1
+- Update to 1.4.15
+
+* Sun Feb 27 2011 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.4.11-1
+- update to 1.4.11
+
+* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Sun Dec 12 2010 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.4.9-1
+- update to 1.4.9
+
+* Sun Jun 20 2010 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.4.8-1
+- update to 1.4.8
+
+* Sun May 30 2010 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.4.6-1
+- update to 1.4.6
+
+* Thu Feb 18 2010 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.3.23-1
+- update to 1.3.23
+
+* Sat Oct 17 2009 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.3.22-1
+- update to 1.3.22
+- added logrotate configuration
+
+* Mon Oct 12 2009 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.3.21-1
+- update to 1.3.21
+
+* Sun Oct 11 2009 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.3.20-1
+- update to 1.3.20
+
+* Sun Aug 02 2009 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.3.19-1
+- update to 1.3.19
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.18-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Sun May 17 2009 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.3.18-1
+- update to 1.3.18
+
+* Sat Apr 11 2009 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.3.17-1
+- Update to 1.3.17
+
+* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.15.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Tue Dec 30 2008 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.3.15.7-1
+- update to 1.3.15.7
+- remove upstream patches, they are now part of source distribution
+
+* Sat Nov 22 2008 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.3.15.6-2
+- apply upstream patches
+
+* Sat Nov 15 2008 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.3.15.6-1
+- update to 1.3.15.6
+- use new build targets from upstream
+- add in recommended build options for x86 from upstream
+
+* Sat Jun 28 2008 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.3.14.6-1
+- update to 1.3.14.6
+- remove gcc 4.3 patch, it has been applied upstream
+- remove MIT license as that code has been removed from upstream
+
+* Mon Apr 14 2008 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.3.14.4-1
+- update to 1.3.14.4
+
+* Sun Mar 16 2008 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.3.14.3-1
+- update to 1.3.14.3
+
+* Sat Mar 01 2008 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.3.14.2-4
+- apply the gcc 4.3 patch to the build process
+
+* Sat Mar 01 2008 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.3.14.2-3
+- fix gcc 4.3 bug [#434144]
+- update init script to properly reload configuration
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 1.3.14.2-2
+- Autorebuild for GCC 4.3
+
+* Sun Jan 20 2008 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.3.14.2-1
+- update to 1.3.14.2
+- update make flags that changed with this upstream release
+- added man page installation
+
+* Sun Dec 16 2007 Jeremy Hinegardner <jeremy at hinegardner dot org> - 1.3.14-1
+- update to 1.3.14
+
+* Mon Nov 05 2007 Jeremy Hinegardner <jeremy@hinegardner.org> - 1.3.12.4-1
+- update to 1.3.12.4
+
+* Thu Nov 01 2007 Jeremy Hinegardner <jeremy@hinegardner.org> - 1.3.12.3-1
+- update to 1.3.12.3
+
+* Fri Sep 21 2007 Jeremy Hinegardner <jeremy@hinegardner.org> - 1.3.12.2-3
+- fix init script 'reload' task
+
+* Thu Sep 20 2007 Jeremy Hinegardner <jeremy@hinegardner.org> - 1.3.12.2-2
+- update License field
+
+* Thu Sep 20 2007 Jeremy Hinegardner <jeremy@hinegardner.org> - 1.3.12.2-1
+- update to 1.3.12.2
+- remove the upstream patch
+
+* Tue Sep 18 2007 Jeremy Hinegardner <jeremy@hinegardner.org> - 1.3.12.1-1
+- switch to 1.3.12.1 branch
+- add patch from upstream with O'Reilly licensing updates.
+- convert ISO-8859-1 doc files to UTF-8
+
+* Sat Mar 24 2007 Jeremy Hinegardner <jeremy@hinegardner.org> - 1.2.17-2
+- addition of haproxy user
+- add license information
+
+* Fri Mar 23 2007 Jeremy Hinegardner <jeremy@hinegardner.org> - 1.2.17-1
+- initial packaging
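Review bot: `URL: http://www.haproxy.org/` makes `Source0` expand to a plain-HTTP address (with a doubled slash, because `%{url}` ends in `/` and the path begins with one), and the `sources` file in this commit pins the tarball only with an MD5 digest, so neither the transport nor the checksum gives strong integrity for the upstream source. I would use `URL: https://www.haproxy.org` and record a SHA-512 entry in `sources` if the lookaside tooling here accepts that form. In `%install`, `TARGET="linux2628"` disagrees with the `TARGET="linux-glibc"` used in `%build` and looks like a leftover; `%{__make} install-bin DESTDIR=%{buildroot} PREFIX=%{_prefix} TARGET="linux-glibc"` keeps the two consistent.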
diff --git a/haproxy.sysconfig b/haproxy.sysconfig
new file mode 100644
index 0000000..2b38e35
--- /dev/null
+++ b/haproxy.sysconfig
@@ -0,0 +1,4 @@
+# Add extra options to the haproxy daemon here. This can be useful for
+# specifying multiple configuration files with multiple -f options.
+# See haproxy(1) for a complete list of options.
+OPTIONS=""
diff --git a/haproxy.sysusers b/haproxy.sysusers
new file mode 100644
index 0000000..f17003a
--- /dev/null
+++ b/haproxy.sysusers
@@ -0,0 +1 @@
+u haproxy - "haproxy" /var/lib/haproxy
diff --git a/sources b/sources
new file mode 100644
index 0000000..1a4e81f
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+706c9e4d44afeaac3b2a66b37e5551fd haproxy-2.4.22.tar.gz